In the early days using the initial versions of this plugin…
I found that testing the LSS plugin and attempting failed passwords via my single connection (read single IP address) caused some of these same issues.
I believe this was because my IP address was in the “failed attempts” table and therefore classed my IP as “bad” and correctly forced me to change my password when I successfully entered the correct password.
From what I read in these forums some users descriptions of problems sound like this is happening.
I would say – after testing the plugin clear out the wp_login_security_solution_fail table.
Maybe this is your issue – maybe not.
I’m sure you will get more input from the plugin author in due course (a very busy guy).
Cheers,
Dean.
Thread Starter
Gregg
(@lorax)
Thanks for the info. That’s rather concerning if I understand you correctly, because this is a WP Network for a University. All of the users come from a single IP – so if one of them messes up, then all of us blocked. Is there a way to white list IPs?
Actually yes, there is an automatic whitelist on a per-user basis.
It was described in a previous forum post, for your reference:
The plugin has an automatic whitelist process. Whenever someone updates their password, the IP is stored for future reference. Notices may still get sent depending on the timing of attacks and legitimate logins, so users can make sure nothing bad is happening…
And checking the source code I also noted the following:
Note: saves up to 10 addresses, duplicates are not stored.
This white-listing of IP addresses occurs on a per-user basis, these are called “verified IP’s” in the code.
So you will likely see some requests for password resets if your users are coming from the same IP, but after the password is reset – that IP is whitelisted for that user. So that user will not be troubled again when logging in from that IP.
Please note this information is specific to version 0.35.0, things do change based on user feedback – but always with security in mind and after careful consideration by the plugin author.
Cheers.
Thread Starter
Gregg
(@lorax)
Hi Dean,
Thanks again for taking the time to help. The issue is we did reset our passwords but none of us were able to login again. I know at least 2 other users on that network attempted to reset passwords but not one of them was able to get in. I will look into the white listing of IPs and see if I can clear the errors from the db today.
Thanks
Take a backup of the table – perhaps it might be useful to diagnose what actually happened.
Thread Starter
Gregg
(@lorax)
Right. I’ll start with the table itself and the white list options. Then if not real results in there, then hope the author can stop by and lend a hand.
Thread Starter
Gregg
(@lorax)
After looking at the logs, it’s apparent the site was undergoing a botnet attack during the 30 minutes the LSS was running. Dozens of attempts from outside IPs trying to gain access using the default admin user. More to come as I dig deeper.
Expect to be attacked! It’s just the norm.
Here are some numbers from my simple no-name test installation with one user (me) which was installed the same time as LSS, you can see the increase in failure attempts over time:
SELECT count(*), DATE_FORMAT(date_failed, '%Y-%m') FROM wp_login_security_solution_fail GROUP BY DATE_FORMAT(date_failed, '%Y-%m')
Month Failed Count
2012-07 109
2012-08 277
2012-09 2848
2012-10 359
2012-11 2480
2012-12 568
2013-01 502
2013-02 4134
2013-03 11340
2013-04 2979
Thread Starter
Gregg
(@lorax)
I do!
SO I see two tables that track failed logins.
login_fails & then login_security_solution (not full table names). Which one can I delete our users from?
Assuming you are using the default table name
prefix of, wp_: wp_login_security_solution_fail
wp_login_security_solution_fail is the only table LSS currently creates anything else would likely be from another plugin.
Thread Starter
Gregg
(@lorax)
Clearing out that table of entries that came from our users worked. We’re now able to login again. I think what happened is because we had 3 users on the same IP address all attempting to work through the login/authentication process at the same time, it tripped the security flags and banned us all.
Live and learn. Now I know how to resolve the issue and that’s I needed. Thanks again for your help Dean.
this is a WP Network for a University. All of the users come from a single IP
Each computer gets a separate IP address.
Hi Daniel,
Just to clarify I believe Lorax means the following…
I have actually experienced this before, some corporations and educational establishments do actually proxy all users through a single IP address.
This means to a website hosted outside of the internal network all users appear to be from a single IP address, the IP of the proxy.
Cheers,
Dean.
Ouch! My sympathies.
In that case, lorax may want to take the advice in the FAQ about the server being behind a proxy, and then tweak it to just check the HTTP_X_FORWARDED_FOR for addresses from the university.
